Solved

UDP Syslog Traffic versus Raw Network Capture

Posted on 2013-12-20
Last Modified: 2013-12-22
I have a diagram where there is a line of UDP syslog traffic flowing from a switch to a web security device and another line extending from the switch to a live-human monitoring station.
What is the difference between UDP syslog traffic and raw network traffic?
Question by:brothertruffle880
3 Comments
 
LVL 22

Accepted Solution

by:
eeRoot earned 668 total points
ID: 39733251
Depends on how the capture tools have been configured. But generally speaking, syslog servers will show a log of events (alerts, informational, debugging, etc.) while monitoring network traffic shows every packet that goes across your network. Network monitors (such as spanned/mirrored ports or hardware taps) show much more info, but it can be too much info sometimes.
LVL 64

Assisted Solution

by:btan
btan earned 668 total points
ID: 39733284
Log vs. packets. The traffic payload details are mostly found in the packet or raw traffic, while the syslog would have normalised and surfaced the events depending on how the device source is configured. Syslog is at max, based on RFC 5424 (http://tools.ietf.org/html/rfc5424), 2048 bytes. Packet capture needs much larger storage, e.g. it can be an estimated 32 MB file saved every 15 minutes.

Specifically, the raw syslog data can be substantial depending on the severity level that is set, e.g. level (0 to 7): emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7). The higher the level, the more messages (and types of messages) that are generated.

You tend to pipe the SPAN port of the switch, which carries the same raw traffic, to further analysis such as AV scan, content filter, or a breach detection system deployed passively inline. In other words, with raw packet traffic you can do more, but with logs you only get what the source wanted you to see. SIEMs are mostly the reason for having centralised logging of all syslog piped to them.

While there are no strict guidelines pertaining to the log format, most syslog messages are generated in human-readable form with the assumption that capable administrators should be able to read them and understand their meaning. Note that the standard syslog protocol does not have mechanisms to provide confidentiality for the messages in transit. In most cases, passing clear-text messages is a benefit to the operations staff as compared to the raw packets from the wire. The operations staff may be able to read the messages and associate them with other events seen from other packets crossing the wire to track down and correct problems.
LVL 57

Assisted Solution

by:giltjr
giltjr earned 664 total points
ID: 39733582
One way to think of the difference between syslog data and raw network traffic is the difference between an MS Word document and a file.

While an MS Word document and an MS Excel spreadsheet are both files, what makes them different/unique is the content within the file. So an MS Word document is a subset of "files."

Syslog data is really a subset of "raw network data."

As the others have posted, my guess is that in your case the "raw network data" is the result of port mirroring (using SPAN or RSPAN or something like that) vs. a connection that is set up to send traffic to a syslog server.
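The two points made above, btan's severity levels (0 to 7) on RFC 5424 messages and giltjr's "syslog is a subset of raw network data", side by side in code. This is an added example, not from the thread: the IPv4/UDP datagrams are constructed inline, and `build_udp_packet`, `parse_pri` and `view_capture` are hypothetical helpers written here, not a real tool's API.

```python
import re
import struct

# RFC 5424 severity names, indexed by the numeric level quoted in the thread.
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
SYSLOG_PORT = 514

def build_udp_packet(dst_port, payload):
    """Constructed IPv4+UDP datagram (no Ethernet header, checksums zeroed)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + udp

def parse_pri(payload):
    """Decode the RFC 5424 <PRI> prefix into (facility, severity name), or None."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if not m or int(m.group(1)) > 191:   # 23*8 + 7 is the largest legal PRI
        return None
    pri = int(m.group(1))
    return pri // 8, SEVERITY[pri % 8]

def view_capture(packets, logging_level):
    """Contrast the two views: every packet is in the raw capture, but the log view
    only holds well-formed UDP/514 events a source set to logging_level would emit."""
    events, other, malformed = [], 0, 0
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 17 or struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != SYSLOG_PORT:
            other += 1                      # visible only in the raw capture
            continue
        decoded = parse_pri(pkt[ihl + 8:])  # UDP payload starts after the 8-byte header
        if decoded is None:
            malformed += 1                  # on port 514 but not syslog
            continue
        facility, severity = decoded
        if SEVERITY.index(severity) <= logging_level:
            events.append((facility, severity))
    return {"packets": len(packets), "events": events,
            "non_syslog": other, "malformed": malformed}

# Constructed sample capture: three syslog events, one HTTP request, one junk datagram.
SAMPLE = [
    build_udp_packet(514, b"<34>1 2013-12-20T10:00:00Z fw01 sshd - - - auth failure"),
    build_udp_packet(514, b"<190>1 2013-12-20T10:00:01Z fw01 httpd - - - GET /index"),
    build_udp_packet(514, b"<15>1 2013-12-20T10:00:02Z fw01 kernel - - - debug trace"),
    build_udp_packet(80, b"GET /index HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    build_udp_packet(514, b"not a syslog message at all"),
]

if __name__ == "__main__":
    print(view_capture(SAMPLE, logging_level=6))
```

With the source set to level 6 the log view keeps two of the five packets (the critical and informational events); raising it to 7 adds the debugging line, while the HTTP request and the junk datagram only ever appear in the raw capture.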